pumuki 6.3.36 → 6.3.37

package/VERSION

@@ -1 +1 @@
-v6.3.36
+v6.3.37

package/docs/CONFIGURATION.md

@@ -229,7 +229,7 @@ Expected JSONL keys for enterprise audit ingestion:
 - `schema=telemetry_event_v1` with `schema_version=1.0`
 - `stage`, `gate_outcome`, `severity_counts`
 - `policy.bundle`, `policy.hash`, `policy.version`, `policy.signature`, `policy.policy_source`
-- `policy.validation_status`, `policy.validation_code` (when policy-as-code validation is available)
+- `policy.validation_status`, `policy.validation_code` (when policy-as-code validation is available; status can be `valid|invalid|expired|unknown-source|unsigned`)
 
 ## Heuristic pilot flag
 

package/docs/RELEASE_NOTES.md

@@ -5,6 +5,24 @@ Detailed commit history remains available through Git history (`git log` / `git
 
 ## 2026-03 (enterprise hardening updates)
 
+### 2026-03-04 (v6.3.37)
+
+- Policy-as-code enterprise hardening shipped:
+  - strict mode now blocks unsigned runtime policy metadata with deterministic code `POLICY_AS_CODE_UNSIGNED`.
+  - lifecycle outputs now expose policy validation metadata in `status --json`, `doctor --json`, and `sdd validate --json`.
+  - telemetry/evidence contract now supports policy validation status `unsigned`.
+- Traceability:
+  - implementation issue: `#606`
+  - implementation PR: `#608`
+  - tracking sync PR: `#609`
+- Consumer quick verification:
+  - `npx --yes --package pumuki@latest pumuki status --json`
+  - `npx --yes --package pumuki@latest pumuki doctor --json`
+  - `PUMUKI_POLICY_STRICT=1 npx --yes --package pumuki@latest pumuki-pre-commit`
+  - expected signal:
+    - JSON includes `policyValidation.stages.*.validationCode`.
+    - strict mode blocks unsigned contracts with `POLICY_AS_CODE_UNSIGNED`.
+
 ### 2026-03-04 (v6.3.36)
 
 - SDD orchestration hardening shipped:

package/docs/registro-maestro-de-seguimiento.md

@@ -7,8 +7,8 @@
 ## Estado actual
 - Plan activo: `docs/seguimiento-completo-validacion-ruralgo-03-03-2026.md`
 - Estado del plan: EN CURSO
-- Última task cerrada (`✅`): `P12.F2.T70` (comando orquestador `pumuki sdd auto-sync`, issue `#600`, PR `#602`, commit `2be34c5`).
-- Task activa (`🚧`): `P12.F2.T71` (publicar release `6.3.36` con `auto-sync`, issue `#603`).
+- Última task cerrada (`✅`): `P12.F2.T72` (hardening `policy-as-code` completado: issue `#606` cerrada con PR `#608`).
+- Task activa (`🚧`): `P12.F2.T73` (preparar/publicar release incremental con el hardening de `#606`).
 
 ## Historial resumido
 - No se mantienen MDs históricos de seguimiento en este repositorio.

package/docs/seguimiento-completo-validacion-ruralgo-03-03-2026.md

@@ -1968,11 +1968,36 @@ Criterio de salida F5:
     - `npx --yes tsx@4.21.0 --test integrations/sdd/__tests__/syncDocs.test.ts integrations/sdd/__tests__/index.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `44 passed, 0 failed`.
     - `npm run -s typecheck` => `exit 0`.
 
-- 🚧 `P12.F2.T71` Publicar release `6.3.36` con `pumuki sdd auto-sync` (`#603`).
-  - salida esperada:
+- ✅ `P12.F2.T71` Publicar release `6.3.36` con `pumuki sdd auto-sync` (`#603`).
+  - cierre ejecutado:
     - versionado a `6.3.36` en `package.json`, `package-lock.json` y `VERSION`.
-    - release notes actualizadas con entrada `v6.3.36`.
-    - publicación npm validada (`latest=6.3.36`) + smoke de `--help` mostrando `auto-sync`.
+    - release notes actualizadas con entrada `2026-03-04 (v6.3.36)` en `docs/RELEASE_NOTES.md`.
+    - publicación npm ejecutada con éxito (`npm publish --access public`).
+    - propagación validada:
+      - `npm view pumuki dist-tags --json` => `"latest": "6.3.36"`.
+      - smoke `@latest` con `--help` mostrando `pumuki sdd auto-sync ...`.
+  - evidencia:
+    - `npx --yes tsx@4.21.0 --test integrations/sdd/__tests__/syncDocs.test.ts integrations/sdd/__tests__/index.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `44 passed, 0 failed`.
+    - `npm run -s typecheck` => `exit 0`.
+    - `npm publish --access public` => `+ pumuki@6.3.36`.
+    - `npm view pumuki@6.3.36 version` => `6.3.36`.
+
+- ✅ `P12.F2.T72` Hardening enterprise policy-as-code firmada/versionada (`#606`).
+  - cierre ejecutado:
+    - modo estricto bloquea política no firmada con código determinista `POLICY_AS_CODE_UNSIGNED`.
+    - `status`, `doctor` y `sdd validate --json` exponen metadatos de validación de policy (`source/bundle/hash/version/signature/status/code/strict`).
+    - telemetría/evidence alineadas con estado adicional `unsigned`.
+    - cobertura de regresión añadida para strict unsigned + metadatos lifecycle.
+    - issue cerrada: `#606`.
+    - PR mergeada: `#608` (`commit 881eac8`).
+  - evidencia:
+    - `npx --yes tsx@4.21.0 --test integrations/gate/__tests__/stagePolicies.test.ts integrations/git/__tests__/runPlatformGate.test.ts integrations/lifecycle/__tests__/status.test.ts integrations/lifecycle/__tests__/doctor.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `81 passed, 0 failed`.
+    - `npm run -s typecheck` => `exit 0`.
+
+- 🚧 `P12.F2.T73` Preparar y publicar release con el hardening de `#606`.
+  - salida esperada:
+    - versionar release incremental y notas de publicación.
+    - publicar en npm y verificar propagación `dist-tags`.
 
 Criterio de salida F6:
 - veredicto final trazable y cierre administrativo completo.

package/integrations/evidence/schema.ts

@@ -89,7 +89,7 @@ export type RulesetState = {
   version?: string;
   signature?: string;
   source?: string;
-  validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+  validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
   validation_code?: string;
   degraded_mode_enabled?: boolean;
   degraded_mode_action?: 'allow' | 'block';

package/integrations/gate/stagePolicies.ts

@@ -49,9 +49,10 @@ export type ResolvedStagePolicy = {
     signature?: string;
     policySource?: string;
     validation?: {
-      status: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+      status: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
       code:
         | 'POLICY_AS_CODE_VALID'
+        | 'POLICY_AS_CODE_UNSIGNED'
         | 'POLICY_AS_CODE_CONTRACT_INVALID'
         | 'POLICY_AS_CODE_CONTRACT_EXPIRED'
         | 'POLICY_AS_CODE_SIGNATURE_MISMATCH'
@@ -307,6 +308,21 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
   const contractPath = join(params.repoRoot, POLICY_AS_CODE_CONTRACT_PATH);
 
   if (!existsSync(contractPath)) {
+    if (strict) {
+      return {
+        version: computedVersion,
+        signature: computedSignature,
+        policySource: 'computed-local',
+        validation: {
+          status: 'unsigned',
+          code: 'POLICY_AS_CODE_UNSIGNED',
+          message:
+            'Policy-as-code contract is missing; runtime policy metadata is unsigned.',
+          strict,
+        },
+      };
+    }
+
     return {
       version: computedVersion,
       signature: computedSignature,

package/integrations/lifecycle/cli.ts

@@ -10,6 +10,10 @@ import {
 import { runLifecycleInstall } from './install';
 import { runLifecycleRemove } from './remove';
 import { readLifecycleStatus } from './status';
+import {
+  readLifecyclePolicyValidationSnapshot,
+  type LifecyclePolicyValidationSnapshot,
+} from './policyValidationSnapshot';
 import { runLifecycleUninstall } from './uninstall';
 import { runLifecycleUpdate } from './update';
 import { runOpenSpecBootstrap } from './openSpecBootstrap';
@@ -977,6 +981,11 @@ const printDoctorReport = (
   writeInfo(
     `[pumuki] hook pre-push: ${report.hookStatus['pre-push'].managedBlockPresent ? 'managed' : 'missing'}`
   );
+  writeInfo(
+    `[pumuki] policy-as-code: PRE_COMMIT=${report.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+    `PRE_PUSH=${report.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+    `CI=${report.policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+  );
 
   for (const issue of report.issues) {
     writeInfo(`[pumuki] ${issue.severity.toUpperCase()}: ${issue.message}`);
@@ -1016,6 +1025,7 @@ const PRE_WRITE_INSTALL_REMEDIATION_COMMAND =
 type PreWriteValidationEnvelope = {
   sdd: ReturnType<typeof evaluateSddPolicy>;
   ai_gate: ReturnType<typeof evaluateAiGate>;
+  policy_validation: LifecyclePolicyValidationSnapshot;
   automation: PreWriteAutomationTrace;
   bootstrap: {
     enabled: boolean;
@@ -1229,12 +1239,14 @@ const resolveAiGateViolationLocation = (code: string) => {
 const buildPreWriteValidationEnvelope = (
   result: ReturnType<typeof evaluateSddPolicy>,
   aiGate: ReturnType<typeof evaluateAiGate>,
+  policyValidation: LifecyclePolicyValidationSnapshot,
   automation: PreWriteAutomationTrace,
   bootstrap: PreWriteOpenSpecBootstrapTrace,
   nextAction: PreWriteValidationEnvelope['next_action']
 ): PreWriteValidationEnvelope => ({
   sdd: result,
   ai_gate: aiGate,
+  policy_validation: policyValidation,
   automation: {
     attempted: automation.attempted,
     actions: [...automation.actions],
@@ -1398,6 +1410,11 @@ export const runLifecycleCli = async (
           writeInfo(
             `[pumuki] tracked node_modules paths: ${status.trackedNodeModulesCount}`
           );
+          writeInfo(
+            `[pumuki] policy-as-code: PRE_COMMIT=${status.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+            `PRE_PUSH=${status.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+            `CI=${status.policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+          );
           if (remoteCiDiagnostics) {
             printRemoteCiDiagnostics(remoteCiDiagnostics);
           }
@@ -1656,6 +1673,7 @@ export const runLifecycleCli = async (
           let result = evaluateSddPolicy({
             stage: parsed.sddStage ?? 'PRE_COMMIT',
           });
+          const policyValidation = readLifecyclePolicyValidationSnapshot(process.cwd());
           const preWriteAutoBootstrapEnabled = process.env.PUMUKI_PREWRITE_AUTO_BOOTSTRAP !== '0';
           const preWriteBootstrapTrace: PreWriteOpenSpecBootstrapTrace = {
             enabled: preWriteAutoBootstrapEnabled,
@@ -1727,11 +1745,15 @@ export const runLifecycleCli = async (
                   ? buildPreWriteValidationEnvelope(
                     result,
                     aiGate,
+                    policyValidation,
                     automationTrace,
                     preWriteBootstrapTrace,
                     nextAction
                   )
-                  : result,
+                  : {
+                    ...result,
+                    policy_validation: policyValidation,
+                  },
                 null,
                 2
               )
@@ -1740,6 +1762,11 @@ export const runLifecycleCli = async (
             writeInfo(
               `[pumuki][sdd] stage=${result.stage} allowed=${result.decision.allowed ? 'yes' : 'no'} code=${result.decision.code}`
             );
+            writeInfo(
+              `[pumuki][sdd] policy-as-code: PRE_COMMIT=${policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+              `PRE_PUSH=${policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+              `CI=${policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+            );
             writeInfo(
               withOptionalLocation(
                 `[pumuki][sdd] ${result.decision.message}`,

package/integrations/lifecycle/doctor.ts

@@ -5,6 +5,10 @@ import { resolvePolicyForStage } from '../gate/stagePolicies';
 import { getPumukiHooksStatus } from './hookManager';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
 import { getCurrentPumukiVersion } from './packageInfo';
+import {
+  readLifecyclePolicyValidationSnapshot,
+  type LifecyclePolicyValidationSnapshot,
+} from './policyValidationSnapshot';
 import { readLifecycleState, type LifecycleState } from './state';
 import {
   detectOpenSpecInstallation,
@@ -71,6 +75,7 @@ export type LifecycleDoctorReport = {
   lifecycleState: LifecycleState;
   trackedNodeModulesPaths: ReadonlyArray<string>;
   hookStatus: ReturnType<typeof getPumukiHooksStatus>;
+  policyValidation: LifecyclePolicyValidationSnapshot;
   issues: ReadonlyArray<DoctorIssue>;
   deep?: DoctorDeepReport;
 };
@@ -653,6 +658,7 @@ export const runLifecycleDoctor = (params?: {
     lifecycleState,
     trackedNodeModulesPaths,
     hookStatus,
+    policyValidation: readLifecyclePolicyValidationSnapshot(repoRoot),
     issues,
     deep,
   };

package/integrations/lifecycle/policyValidationSnapshot.ts

@@ -0,0 +1,51 @@
+import type { SkillsStage } from '../config/skillsLock';
+import {
+  resolvePolicyForStage,
+  type ResolvedStagePolicy,
+} from '../gate/stagePolicies';
+
+export type LifecyclePolicyValidationStageSnapshot = {
+  source: ResolvedStagePolicy['trace']['source'];
+  bundle: string;
+  hash: string;
+  version: string | null;
+  signature: string | null;
+  policySource: string | null;
+  validationStatus: NonNullable<ResolvedStagePolicy['trace']['validation']>['status'] | null;
+  validationCode: NonNullable<ResolvedStagePolicy['trace']['validation']>['code'] | null;
+  strict: boolean;
+};
+
+export type LifecyclePolicyValidationSnapshot = {
+  stages: Record<SkillsStage, LifecyclePolicyValidationStageSnapshot>;
+};
+
+const POLICY_STAGES: ReadonlyArray<SkillsStage> = ['PRE_COMMIT', 'PRE_PUSH', 'CI'];
+
+const toStageSnapshot = (
+  resolved: ResolvedStagePolicy
+): LifecyclePolicyValidationStageSnapshot => {
+  return {
+    source: resolved.trace.source,
+    bundle: resolved.trace.bundle,
+    hash: resolved.trace.hash,
+    version: resolved.trace.version ?? null,
+    signature: resolved.trace.signature ?? null,
+    policySource: resolved.trace.policySource ?? null,
+    validationStatus: resolved.trace.validation?.status ?? null,
+    validationCode: resolved.trace.validation?.code ?? null,
+    strict: resolved.trace.validation?.strict ?? false,
+  };
+};
+
+export const readLifecyclePolicyValidationSnapshot = (
+  repoRoot: string
+): LifecyclePolicyValidationSnapshot => {
+  const resolvedByStage = Object.fromEntries(
+    POLICY_STAGES.map((stage) => [stage, toStageSnapshot(resolvePolicyForStage(stage, repoRoot))])
+  ) as Record<SkillsStage, LifecyclePolicyValidationStageSnapshot>;
+
+  return {
+    stages: resolvedByStage,
+  };
+};

package/integrations/lifecycle/status.ts

@@ -1,6 +1,10 @@
 import { getPumukiHooksStatus } from './hookManager';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
 import { getCurrentPumukiVersion } from './packageInfo';
+import {
+  readLifecyclePolicyValidationSnapshot,
+  type LifecyclePolicyValidationSnapshot,
+} from './policyValidationSnapshot';
 import { readLifecycleState, type LifecycleState } from './state';
 
 export type LifecycleStatus = {
@@ -9,6 +13,7 @@ export type LifecycleStatus = {
   lifecycleState: LifecycleState;
   hookStatus: ReturnType<typeof getPumukiHooksStatus>;
   trackedNodeModulesCount: number;
+  policyValidation: LifecyclePolicyValidationSnapshot;
 };
 
 export const readLifecycleStatus = (params?: {
@@ -26,5 +31,6 @@ export const readLifecycleStatus = (params?: {
     lifecycleState: readLifecycleState(git, repoRoot),
     hookStatus: getPumukiHooksStatus(repoRoot),
     trackedNodeModulesCount,
+    policyValidation: readLifecyclePolicyValidationSnapshot(repoRoot),
   };
 };

package/integrations/telemetry/gateTelemetry.ts

@@ -25,7 +25,7 @@ type PolicyTrace = ResolvedStagePolicy['trace'] & {
   signature?: string;
   policySource?: string;
   validation?: {
-    status: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+    status: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
     code: string;
   };
   degraded?: {
@@ -189,7 +189,7 @@ export type GateTelemetryEventV1 = {
     version?: string;
     signature?: string;
     policy_source?: string;
-    validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+    validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
     validation_code?: string;
     degraded_mode_enabled?: boolean;
     degraded_mode_action?: 'allow' | 'block';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.36",
+  "version": "6.3.37",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {